Tuesday, November 13, 2012

Have iSight Partners - PayPal - Skype Bypassed Due Process?

The recent incident involving the release of Skype user data to law enforcement by iSight Partners raises serious due process questions, especially considering the rapid growth of the cyber intelligence sector. iSight Security, Inc. dba iSight Partners is a privately owned cyber intelligence firm based in Dallas, TX that was founded by John Watters after he sold iDefense to Verizon. According to its website, the company provides insight into malware actors and threats to its corporate and government clients.

Two of iSight's corporate clients are PayPal and Microsoft's Skype. According to the Dutch journalist who broke the story, PayPal hired iSight to investigate Anonymous after the group coordinated DDoS attacks against PayPal in protest of its blocking of payments to Wikileaks in 2011. In the course of doing work for PayPal, iSight discovered the alias of a person who they believed was a member of Anonymous and found that it matched a Skype name. An iSight employee then contacted Skype, another client company of iSight's, and asked for the user data that accompanied the Skype name. Skype complied since it had a contractual relationship with iSight.

NOTE: Apparently if you're a Skype customer, your data can be shared with any other company that partners with Skype per its Privacy policy:

Except as provided below, Skype will not sell, rent, trade or otherwise transfer any personal and/or traffic data or communications content outside of Microsoft and its controlled subsidiaries and affiliates without your explicit permission, unless it is obliged to do so under applicable laws or by order of the competent authorities.

Skype may disclose personal information to respond to legal requirements, exercise our legal rights or defend against legal claims, to protect Skype’s interests, fight against fraud and to enforce our policies or to protect anyone's rights, property, or safety.

Either Skype sees its relationship with iSight as an affiliate or it sees its sharing of info as a way to protect its interests. Either way, it completely bypasses the necessity for a warrant. However, iSight turned that protected information over to the Dutch authorities without being presented with a warrant or having been part of any due process to protect the Dutch citizen's rights.

I understand from a confidential source that Skype (or possibly Microsoft) is investigating iSight's actions in that regard to ensure that it never happens again. This could be especially damaging to Microsoft since it's already on the EU's radar from past legal disputes regarding anti-trust matters. Although I've tried to get iSight to comment on this incident, no one from the company has replied to my email requests.

UPDATE (13 NOV 2012): The larger issue is the question that iSight refuses to answer. Does iSight commingle this type of data between client companies and share it with law enforcement or other government organizations, thus bypassing privacy rights in the U.S., E.U. and elsewhere?